In the old days, there was a physical cable running from A to B. One server ran just one application. Auditors could see the boundaries and could assess IT security accordingly. But today, matters have changed considerably. The virtualisation of X applications over Y servers, and the use of the cloud make it impossible to see physically what is going on. IT installations must still be audited for quality and risk, but many auditors do not fully understand the new virtual computing models. Some auditor education may be in order.
Given that many IT security auditors already know about traditional pre-virtualisation environments (although mainframes have been virtualised for some time!), the following pointers about the new model can be a starting point.
- Virtualization means a new operating system and management layer. Security should not be applied separately, but integrated as a policy and a methodology at each stage of the implementation.
- A virtualised IT infrastructure increases the potential attack surface. The layered computing model with its host operating systems, hypervisor and other virtual layers multiplies potential vulnerabilities.
- IT employee roles change with virtualisation. Where there were three actors before for the system, the network and the security, there is often now just one for the virtualised platform. This kind of virtual dictatorship is a risk in itself.
- Virtualised environments can and do change rapidly, as virtual machines are “spun up” or deleted. The rapid pace of configuration and change can easily lead to errors and thence to data compromise. Robust automation is increasingly important in order to ensure security.
- Virtual machines can be attacked from anywhere over the network. Physical security measures no longer have the same effectiveness and may even have none at all in this context.
Security controls in general need to be re-designed and evaluated differently. Virtualisation, while saving money by using fewer servers for instance, may create additional expenses elsewhere, such as the extra work needed to ensure data privacy and compliance. Security auditors will also have a bigger role to play now, not just in identifying weaknesses and risks, but also in encouraging new best practices.